Josh Bressers: Measuring security: Part 2 – The cost of doing business

If you’ve not read my last post on measuring security you probably should. It talks about how to measure the security of things that make money. That post is mostly focused on things like products that directly generate revenue. This time we’re going to talk about a category I’m calling the cost of doing business.

The term “cost of doing business” is something I made up so I could group these ideas in some sensible way. At least sensible to me. You probably can’t use this with other humans in a discussion, they won’t know what you’re talking about. If I had a line graph of spending I would put revenue generating on one side, the purse cost centers on the other side. The cost of doing business is somewhere in the middle. These are activities that directly support whatever it is the organization does to make new money. Projects and solutions that don’t directly make money themselves but do directly support things being built that make money.

The cost of doing business includes things like compliance, sending staff to meetings, maybe regulatory requirements. Things that don’t directly generate revenue but you can’t move forward if you don’t do these things. There’s not a lot of options in many cases. If you don’t have PCI compliance, you can’t process payments, you can’t make any money, and the company won’t last long. If you don’t attend certain meetings nobody can get any work done. Regulated industry must follow their requirements or the company can often just be shut down. Sometimes there are things we have to do, even if we don’t want to do them.

In the next post we’ll talk about what I call “infrastructure”, these are the things that are seen as cost centers and often a commodity service (like electricity or internet access). I just want to clarify the difference. Infrastructure is something where you have choice or can decide not to do it with a possible negative (or positive) consequence. Infrastructure is what keep the lights on at a bare minimum. Cost of doing business must be done to get yourself to the next step in a project, there is no choice, which changes what we measure and how we measure it.

The Example

Let’s pick on PCI compliance as it’s pretty easy to understand example. If you don’t do this it’s quite likely your company won’t survive, assuming you need to process card payments. If you’re building a new web site that will process payments, you have to get through PCI compliance, there is no choice, and the project cannot move forward until this is complete. The goal now isn’t so much measuring the return on an investment as it is being a good steward of the resources given to us. PCI requirements and audits are not cheap. If you are seen as making poor decisions and squandering your resources it’s quite likely the business will get grumpy with you.

Compliance and security aren’t the same thing. There is some overlap but it must be understood that you can be compliant and still get hacked. The overlap of compliance is a great thing to focus on for measuring what we do. Did your compliance program make you more secure? Can you show how another group used a compliance requirement to make something better? What if something compliance required saved some money on how the network was architected? There are a lot of side benefits to pay attention to. Make sure you note the things that are improvements, even if they aren’t necessarily security improvements.

I’ve seen examples where compliance was used to justify 2 factor authentication (2FA) in an organization, There are few things more powerful than 2FA that you can deploy. Showing compliance helped move an initiative like this forward, and also showing how the number of malicious logs drops substantially is a powerful message. Just turning on 2FA isn’t enough. Make sure you show why it’s better, how the attacks are slowed or stopped. Make sure you can show there were few issues for users (the people who struggle will complain loudly). If there is massive disruption for your users, figure out why you didn’t know this would happen, someone screwed something up that means. It’s important to measure the good and the bad. We rarely measure failure which is a problem. Nobody has a 100% success rate, learn from your failure.

What about attending a meeting or industry conference? Do you just go, file the expense report, and do nothing? That sounds like a waste of time and money. Make sure you have concrete actions. Write down what happened, why it was important you were there, how you made the situation better, and what you’re going to do next. How did the meeting move your project forward? Did you learn something new, or make some plans that will help in the future? Make sure the person paying your bills sees this. Make them happy to be providing you the means to keep the business moving forward.

The Cost

The very first step we have to consider when we want to measure what we’re doing is to do your homework and understand cost. Not just upfront cost but cost of machines, disk, people, services, anything you need to keep the business moving forward. If there are certain requirements needed for a solution make sure you understand and document it. If a certain piece of software or service has to be used show why. Show what part of the business can function because of the cost you’re providing. Remember this is going to be specific requirements you can’t escape. These are not commodity services and solutions. And of course the goal is to move forward.

If you inherit an existing solution take a good look at everything, make sure you know exactly what the resource cost of the solution is. The goal here isn’t always to show a return on investment, but to show that the current solution makes sense. Just because something costs less money doesn’t mean it’s cheaper. If your cut rate services will put the project in jeopardy you’re going to be in trouble someday. Be able to show this is a real threat. It’s possible a decision will be made to take on this threat, but that’s not always your choice. Always be able to answer the questions “if we do this what happens” and “if we don’t do this what happens”.

ConclusionThis topic is tricky. I keep thinking about it and even as I wrote this post it changed quite a lot from what I started to write. If you have something that makes money it’s easy to justify investment. If you have something that’s a pure cost center it’s easy to minimize cost. This middle ground is tricky. How do you show value for something you have to do but isn’t directly generating revenue? If you work for a forward looking business you probably won’t have to spend a ton of time getting these projects funded. Growing companies understand the cost of doing business.

I have seen some companies that aren’t growing as quickly fail to see value in the cost of doing business. There’s nothing wrong with this sometimes, but as a security leader your job is to make your leadership understand what isn’t happening because of this lack of investment. Sometimes if you keep a project limping along, barely alive, you end up causing a great deal of damage to the project and your staff. If leadership won’t fund something, it means they don’t view it as important and neither should you. If you think it is important, you need to sell it to your leadership. Sometimes you can’t and won’t win though, and then you have to be willing to let it go.